It's not that we are bad, it's that we just don't care anymore.
I'd love to see how much worse these phishing email clicks get when an entire generation gets 2% raises next year on the backdrop of 20+% inflation in food and bills.
It's just as you suspected: your Gen Z and millennial coworkers just aren't taking cybersecurity at work seriously enough. Professional services firm EY made that determination after speaking to 1,000 US workers whose current job requires the use of a work-issued laptop/computer a majority of the time. While 83 percent of …
"disregard mandatory IT updates for as long as possible"
Yes, as they *know* that "update" is a downgrade in everything: actually useful features, usability and outlook. And it introduces a bunch of new bugs without repairing old ones. No-one sane installs those.
Funny how YT totally wipes reality off the board and whines about one minor aspect (to the user) of the whole.
> Yes, as they *know* that "update" is a downgrade in everything:
Ha, reminds me of a highly amusing (for me) argument with a MS support person.
This doesn't work on W10 does it
But it does on W7
So can I have an upgrade from W10 to W7
Errrr that not an upgrade Sir, that's a downgrade
How can moving from it doesn't work to it does work be considered as a downgrade and not an upgrade. The system is down as it is, it can't go down any further, the only way from here is up
Errrrrrr it's still a downgrade... Errrrrrrr ... I'll send you the kit
It's also because of increasing update fatigue. You're in the middle of working and are focussed, but then Office needs to install updates. No sooner than that is done, Windows needs to install updates and reboot. After this, Adobe Reader needs to install some updates. Finally you're working and focussed again, but no - Windows needs to install more updates. It's just an HP keyboard driver this time, but it is yet another disrupting reboot.
You pull your phone out to check it whilst Windows rebooted, "updates are available".
Hardly a surprise that more and more people just reach for the "sod off as long as possible" button. Updates are relentless, disruptive and rarely bring anything visibly useful (I know, Security and all that, but this isn't end-user facing). The whole concept and mechanism of updates needs rethinking to make it as quick and seamless as possible.
As for passwords, how many companies supply staff with a decent password manager? If you want staff to use strong and unique passwords, supply a password manager.
Yes. On a sane operating system you can update a ton of stuff (even in the background, if you configure it that way), and it will not tell you to close programs (Firefox will tell you to "reload", though), and stuff just keeps working. No need to reboot just now. At least we no longer have to reboot Windows when we change a network setting. That sucked almightily. I run Debian / Devuan Stable on my own machines. I know that any update is security related. I install them as soon as possible. If I ran a faster-changing OS, then I would be more careful - it will be new software versions now and then, and these might break my workflow (in fact they have, but that was Debian unstable, about ten, maybe 15 years ago, and I was fully aware of living on the edge).
Plus the implementation of how software is rolled out to users' machines matters. There are some software distribution programs that tell you to close this program because that one needs to be updated. Sucks. Big time.
> Its also because of increasing update fatigue
It's also (IMHO mostly) because of the absolutely brain-dead way Windows handles updates.
I briefly used Win11, after many years of using Linux, and was appalled: almost all kinds of update seem to require a (very) slow reboot, and they come sequentially instead of all at the same time. It's annoying and a waste of time even on a brand new high-end computer with fast SSDs; I can only guess what it must be like on older hardware with spinning-rust HDs. "Nightmarish" comes to mind.
On Linux the only thing requiring a reboot seems to be a kernel upgrade (and even that only requires you reboot eventually, when it suits you, like for instance when you've finished using the computer for the day).
And for application updates, MSI is astonishingly slow. (The same applies to VSIX and other MS installers.) I can't figure out how Microsoft managed to create an installer technology that can take close to an hour to remove one version of a product and install another. I can create a VM and install an entire Linux distribution in the time it takes some Windows products to install a new version.
That's because as powerful as KeePass is, it isn't very user friendly for less IT-literate people. Loading/saving databases, adding entries to a database via an obscure icon, making sure that the entry name matches the website title so that auto-type works, remembering the auto-type keyboard combination are all fine for a power-user, but not user-friendly for the masses, unless you roll out addons for it that add browser extensions or something.
There are more user-friendly ones though - especially with a good browser extension. I use StickyPassword at home. If I have to register for a site, it automatically offers to generate a strong password and saves it to its database without me having to do anything other than click "OK". When I visit that website again, I don't have to click anything - it just logs in for me in a seamless manner. I'm sure many others work just as seamlessly also.
"KeePass isn't very user friendly for less IT-literate people"
How computer illiterate are these users you speak of?
I know technical ability is lacking in a lot of the population, but if they cannot even fathom a fucking GUI which has a manual (if they bothered to read it), what hope is there of them being able to even do the job involving a computer, for which they are employed!!!
Updates, maybe. But mostly I'd say impatience. It's a work machine. They're working. A dialogue about cookies appears with the choice of "Accept" or "Go through a long-winded routine of turning stuff off". They choose accept. And get on with working on the boss's machine. It's not their problem anymore once they've clicked.
The company I recently started working for actually does provide a password manager, but nobody uses it. They (the ignorant staff, and there are many) opt instead to store their passwords in Notepad and leave it on-screen while sat next to the ground floor window. Oh, and BTW, this company claims to be ISO 27001 accredited. I call BS: none of them lock their desktops when AFK, and they have a really bad PSK for their IPSEC tunnels - not as bad as qwerty123, but it's bad.
I suspect the company went through the motions to achieve ISO 27001, ticking boxes etc, to clinch a deal which required this. Now the deal is clinched, they can go back to their same awful bad practices.
"You're in the middle of working and are focussed, but then Office needs to install updates."
The problem is your boss is expecting you to complete something and email them a copy, or you promised a customer that you'd have the quote by the end of the day, and you know that if you do the update, a whole S-ton of changes will have been made to the UI and it's going to take a couple of weeks to learn the new icons. You also hope they haven't deprecated the features you have grown to rely on or that are part of macros you use all of the time and will have to rework to get something like them working again. Most updates are crap to begin with. Some applications are at the pinnacle of what they are needed for to start with. All they might need is some clean-up under the hood so they boot and run faster. At the most, adding some import/export options might be useful, and that's it. MS Word is massive bloatware. I find it much easier to do text stuff in a simple program just because the most-used functions are in one toolbar. Excel is such a horrible dog when it comes to big data sets that I'm using Igor instead. OSes are the same way. I'd be over the moon if they didn't change anything I can see, touch or taste, but worked on getting the footprint down and processes running much faster with nothing calling Google APIs.
From personal experience, boomers to what ever is the current name of the generation, I think the same percentage of users are from the risk groups: Don't care at all, Don't know how to start the computer, Don't ask for help... no matter the generation, each one has people in the above categories.
Possibly a difference between some of us whose first meeting with a computer was a terminal at university with a username and a password and permissions and a big scary BOFH. And the younglings who have been used to clicking OK on their phones to get the new shiny since they were toddlers.
Now get off my virtual lawn you whippersnappers.
> and a big scary BOFH
And they really were scary they were and they were called Doug. I mean they'd use sarcasm
Vercotti: Doug... I was terrified of him. Everyone was terrified of Doug. I've seen grown men pull their own heads off rather than see Doug. Even Dinsdale was frightened of Doug.
Interviewer: What did he do?
Vercotti: He used sarcasm. He knew all the tricks, dramatic irony, metaphor, bathos, puns, parody, litotes and satire.
I think that experience helps a lot, but don't pretend that everyone in your generation got that. You got that. Many others came to computers later on when they were not shared and there was no scary BOFH to notice when they did their first stupid thing. You'd think that using these machines for decades would have helped, but you'd think using them all the time would as well and that doesn't either. Only learning about them helps, and many people never bothered taking that step.
Always a problem with self-reporting – it's very difficult or impossible to control for factors that significantly affect the quality of the reporting itself.
I do think, though, that there's no reason (empirical or theoretical) to believe "digital natives" are more likely to have a security mindset toward IT. And there are some reasons – vigilance fatigue, for example – to believe the converse.
So... 85% of Boomers don't actually know enough about a computer to realize they are lying as well, and the Gen-Xers that aren't lying themselves are currently employed in IT and trying to get the rest of the company to get their shit together?
(OK let's face it, there are still some Gen-Xers that are BOTH liars about their password and security habits and also work in IT)
Had a user who when asked their password so we could log in to their account gave Password3. Next time I needed to log in they had changed it, told me it was Password4. A while later we needed to log in to a random user to test something and I suggested trying Password5. It worked.
Jump forward a few months. A users account has been compromised and used to send phishing emails to clients. Guess which user.
In my defence, I did flag it up and in fact gave that user as an example when arguing against forced password changes.
If companies got rid of the requirements for upper case, lower case, numbers, special characters blablabla and just made users type in longer phrases that are more easily remembered, then the ...1,2,3 stuff wouldn't even happen.
Yes. The problem is that OSes like Windows have simple password-complexity switches that admins can turn on, but not decent passphrase-entropy estimators that are similarly easy to enable. And there's no option in Group Policy for "multiple character sets OR at least N characters".
OS manufacturers (Microsoft and Apple in particular) and other big players (notably Google and Amazon, for AWS) decided passphrases weren't interesting, and jumped on the TOTP and/or biometrics 2FA bandwagon instead, conveniently ignoring the failure modes of TOTP devices and biometrics.
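The policy the thread is asking for ("at least N characters OR multiple character sets") is easy to express in code, and so is a check that catches the Password3 / Password4 / Password5 rotation pattern from the earlier comment. The following is an added example written for this page, not a commenter's code and not any operating system's Group Policy option; the length and class thresholds are assumptions chosen for illustration.

```python
"""Password-policy checker: accept a long passphrase OR a shorter password
that mixes character classes, and reject a new password that is merely the
previous one with its trailing number changed (Password3 -> Password4).
Added example; thresholds are assumptions, not any vendor's defaults."""
import re
import string
from typing import Optional, Tuple

MIN_PASSPHRASE_LEN = 20   # assumed: at this length character-class rules are waived
MIN_COMPLEX_LEN = 12      # assumed: shorter passwords must mix classes instead
MIN_CLASSES = 3


def char_classes(pw: str) -> int:
    """Count how many of lower / upper / digit / symbol-or-space appear in pw."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    count = sum(any(c in cls for c in pw) for cls in classes)
    if any(c in string.punctuation or c == " " for c in pw):
        count += 1
    return count


def _strip_trailing_digits(pw: str) -> str:
    return re.sub(r"\d+$", "", pw)


def is_trivial_increment(new: str, previous: Optional[str]) -> bool:
    """True when new and previous differ only in a trailing number (or the new
    one just appends one); compared case-insensitively. Exact reuse also hits."""
    if previous is None:
        return False
    return _strip_trailing_digits(new).lower() == _strip_trailing_digits(previous).lower()


def check_password(new: str, previous: Optional[str] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). The two acceptance routes are OR-ed, which
    is the rule the comment above says plain complexity switches cannot express."""
    if is_trivial_increment(new, previous):
        return False, "only the trailing number changed from the previous password"
    if len(new) >= MIN_PASSPHRASE_LEN:
        return True, "accepted as passphrase (length rule)"
    if len(new) >= MIN_COMPLEX_LEN and char_classes(new) >= MIN_CLASSES:
        return True, "accepted as complex password (character-class rule)"
    return False, (f"need >= {MIN_PASSPHRASE_LEN} chars, or >= {MIN_COMPLEX_LEN} chars "
                   f"with {MIN_CLASSES}+ character classes")


if __name__ == "__main__":
    # constructed sample inputs
    for new, prev in [("Password4", "Password3"),
                      ("Password3", None),
                      ("correct horse battery staple", None),
                      ("Tr0ub4dor&3xtra!", "Password3")]:
        print(f"{new!r:35} -> {check_password(new, prev)}")
```

The increment check compares against the previous password, so it only works at change time, when both values are briefly available to the policy engine; it does not require storing old passwords in recoverable form.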
"type in longer phrases that are more easily remembered, then the ...1,2,3 stuff wouldn't even happen."
Until the number of users being locked out rises due to typos. Have you seen the state of some people's spelling these days? They can't survive without auto-correct and predictive text :-)
"All the words are spelled correctly."
Pace British English/American English (etc.) tomfoolery. But we should probably leave that discussion in the other thread, where it belongs.
For small values of belongs ...
I think my "generation" (~1987) is more savvy when it comes to the basic threats from email attachments and and things like that.
However they do open themselves to attack from all the many online services that they flippantly use which older generations don't. Similarly with phone apps. These tend to hit my generation more because they seem to love them.
So really I think it is education, there will be pros and cons, strengths and flaws in each generation as we use computers differently.
if we stopped making this so difficult for people.
Passwords need to go, there are no excuses, just businesses giving in to inertia. SSO and passkeys, if they were a few clicks for the admins to implement, would bury a big chunk of this. Also, providing a decent password vault for your employees wouldn't hurt. It doesn't help that on both Macs and Windows boxes the password infrastructure is stuck in the 90s, and since so many systems try to pull from AD, if you set password expiration, users inevitably get blocked trying to log into a system that can't successfully update their password. Bonus points for confused Mac users resetting their password on the Windows/AD side and losing their keychain.
And then there is the patching issue. Windows patching is a crime against humanity at this point, and Apple has been nearly as bad with OSX updates. Both have been moving two steps forward and 1.5 steps back since the Win 7/Leopard era. Installing updates is slow, needs admin rights, dumps unsaved work, and in many cases the user will lose all their open windows. The OS will nag them incessantly, but your choice as an admin is "Force install and reboot regardless of the howls" or to individually chase users down and pry the computer out of their hands to make them run the updates. Nagging pisses them off, and the prompts don't guide users through doing it properly, or in many cases make it easy for users without admin rights to request the updates be applied other than calling, opening a ticket or showing up at the IT office doorstep holding their laptop like a caricature of a pauper in some old Dickens novel.
"Please sir, may I have my system updates? It's been nagging something fierce, but when I hits OK it the progress bar stops after 25 min and she just says install failed! Try again?"
The young-uns will learn in time, once they have their credit broken, their bank accounts drained and/or their jobs lost as a result of their blithely arrogantly cavalier attitudes about cybersecurity. After all, one can't be arsed to give a flying fuck about cybersecurity in one's lemming-like[1] chase for the latest shiny.
Won't somebody think of the FOMO?
[1] OK, I know the lemming thing was faked, and real lemmings don't do that...do they?
People who put off restarting to install updates don't have time to close down each program, wait for Windows to update, restart, wait for Windows to update some more, log in, and open all their programs again because they have actual real work to do. They're usually younger employees as opposed to older managers.
nearly a half of Gen Z and millennials were "likely to accept web browser cookies on their work-issued devices all the time or often,"
Hmm. Couldn't rejecting all cookies be set by a work group policy? Which would make browsing 'interesting' given how many sites insist on setting 'necessary' cookies to allow basic functionality. The Google search page attempts to set six. Of course, I block most with uMatrix and automatically delete unnecessary ones on closing the tab, but I'm too old to be cavalier about cookie use.
> ranges for the four generations included in the report
It would be too quaint and uncool to call them by the actual years. Giving them fancy and slightly obscure names turns them into very distinct tribes, and thus reinforces the "us vs. them" feeling of each generation.
Age, sex (or lack thereof), color, religion/politics, we have so many things we can segregate by... :-(
And the generational-cohort terms were invented initially to describe economic trends in the US (the "Baby Boom", aka "Boomer", cohort was initially important because of its effects on things like school-system capacity), and then later to describe certain mainstream cultural trends, again in the US.[1]
Using those terms outside those contexts is already suspect, and far more suspect when used for people outside US mainstream culture.
It's pop-sociology bullshit, a pseudoscientific excuse to generalize with no real empirical basis.
[1] Most of the generational-cohort terms were coined by Howe & Strauss in 13th Gen, which was very much pop sociology and not any sort of attempt to be rigorous demographic or economic analysis. And I suspect the vast majority of people who like to throw around terms like "Boomer" and "Millennial" have never read 13th Gen (which is a pity, because it's pretty interesting if you don't take it as rigorous). Meanwhile, "Generation X" was coined by Copeland for a story collection, and he intended it to describe a considerably smaller group than what "Gen X" is now usually applied to. And H&S's "13er" was a better term anyway.
"It would be too quaint and uncool to call them by the actual years. Giving them fancy and slightly obscure names turns them into very distinct tribes, and thus reinforces the "us vs.them" feeling of each generation."
It seems to be primarily a US thing IME. Nothing must be known by its proper name; everything must have a "cool sounding" new name. Now don't get me wrong, the Yanks are great at coming up with new words and especially acronyms for projects and such, but PLEASE stop doing it to things that already have names. It just confuses everyone. But those "nicknames" do seem to catch on very very quickly across the US. It's like some sort of forced hothouse evolution of language. A recent one I've come across is the pronunciation of cache, as in a cache of treasure. Suddenly it's being pronounced "cachet" on all the US TV programmes (that use the word, i.e. not all of them, obviously). Seems to have started a year or two back, but pretty much every treasure hunting documentary seems to have switched now. Possibly they are trying to sound sophisticated and have learned that cache is a French word, so are trying to be too clever and think it's pronounced caché :-)
"pretty much every treasure hunting documentary"
Consider the source. It's not like the producers, actors, script-writers and intended targets are the sharpest tools in the shed.
For the record, I've only heard it called "cache" by the vast majority of the population (the Jr. High set has just discovered geo caching ... ).
"only 41 percent of EY's respondents said they were confident they could identify a phishing attempt, and only 38 percent were confident they could avoid ransomware."
Sure. I'm.... more or less confident. I could craft a website that would fool me, and I guess many others. Do phishers go that length? For "spearphishing" I guess. Am I confident I would spot that? Not really. If they want to get me they will get me. I would get me. Same with ransomware. I don't browse questionable websites, I do not download questionable files and run them, I keep my system more or less up to date. If there's a zero day exploit out there that is wormable they will get me. Boom. That's it.
So, no, I am not confident I can avoid it. I am confident that I do the most basic things to avoid phishing and ransomware and the resulting mayhem. This makes me a more difficult target than others. Like locking your bike. The lock has to be better than that of the other bikes, and the bike has to be less shiny than the others. Saint Florian principle ("Heiliger St Florian, beschütz mein Haus zünd and're an!" Holy St Florian, protect my house, burn others) applied to security. Sorry.
Indeed, there have been studies which show (for some value of "show") that IT workers are more likely to fall for certain classes of attacks because they're more likely to overrate their own security skills and practices.
Confidence in your own vigilance is not a good sign.
Cory Doctorow's story of how he got phished is a useful example of how security awareness only goes so far, and perfect vigilance is impossible. Humans aren't great at vigilance, and the systems we use aren't great at proving their authenticity.
There is no security risk in accepting cookies. You may prefer to be anonymous and not to receive personalised advertising, and if you care about privacy at all you probably don't want advertising companies knowing which sites you visit. But it's not a security risk.
Plus some sites have in the past used the bad habit of storing various credential tokens, session ids etc in cookies - in cases where creds have a reasonable lifetime then malicious attack could use creds info in cookie to impersonate you on the relevant website and exploit away.
This type of bad practice is (hopefully) on the wane, but in general web devs far too often store a lot of data in cookies that they shouldn't, as security seems way down the priority list compared to churning out zillions of lines of JS code for what could easily be done as a static site.
"Plus some sites have in the past used the bad habit of storing various credential tokens, session ids etc in cookies - in cases where creds have a reasonable lifetime then malicious attack could use creds info in cookie to impersonate you on the relevant website and exploit away."
That is bad, but unrelated to storing the cookie. If you don't store the cookie, then you will be asked to log in next time because you won't present the cred, but the site would still accept it if you did. If you have malware watching the connection, either resident on your device or intercepting the traffic, then whether or not you save that data, the malware can get a copy and use it. That's a problem with the site and setting the option to immediately delete cookies will not fix it.
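The point made above is that a replayable session value in a cookie is the site's problem, not the browser's cookie-retention setting, so the useful check is on the Set-Cookie headers the site issues. Below is an added example written for this page (not any commenter's code): it parses Set-Cookie header values and flags session-looking cookies that lack the standard Secure, HttpOnly or SameSite attributes or that are issued with a long Max-Age. The sample headers are constructed, the name heuristics and the 12-hour lifetime threshold are assumptions.

```python
"""Audit Set-Cookie headers for session-bearing cookies whose stolen value
would be easy to replay: missing Secure/HttpOnly/SameSite, or a long lifetime.
Added example; sample headers are constructed and thresholds are assumptions."""
from typing import Dict, List

MAX_SESSION_SECONDS = 12 * 60 * 60           # assumed: longer than this gets flagged
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth")   # assumed name heuristics


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split 'name=value; Attr; Attr=val' into a dict. Attribute keys are
    lower-cased; flag attributes such as Secure map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        k, _, v = attr.partition("=")
        cookie[k.strip().lower()] = v.strip()
    return cookie


def looks_like_session_cookie(name: str) -> bool:
    n = name.lower()
    return any(hint in n for hint in SESSION_NAME_HINTS)


def audit_set_cookie(header: str) -> List[str]:
    """Return a list of findings for one Set-Cookie value; empty means nothing flagged."""
    c = parse_set_cookie(header)
    findings: List[str] = []
    if not looks_like_session_cookie(c["name"]):
        return findings                      # preference cookies are not audited here
    if "secure" not in c:
        findings.append("missing Secure: browser may send it over plain HTTP")
    if "httponly" not in c:
        findings.append("missing HttpOnly: readable by page scripts")
    if "samesite" not in c:
        findings.append("missing SameSite: attached to cross-site requests")
    max_age = c.get("max-age")
    if max_age is None and "expires" not in c:
        pass                                 # browser-session cookie: nothing to flag on lifetime
    elif max_age is not None and max_age.isdigit() and int(max_age) > MAX_SESSION_SECONDS:
        findings.append(f"Max-Age {max_age}s exceeds {MAX_SESSION_SECONDS}s: stolen value stays valid too long")
    elif max_age is None:
        findings.append("Expires set without Max-Age: check the lifetime manually")
    return findings


SAMPLE_HEADERS = [                            # constructed examples
    "sessionid=abc123; Path=/; Max-Age=2592000",
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600",
    "theme=dark; Path=/; Max-Age=31536000",
]


def audit_all(headers: List[str] = SAMPLE_HEADERS) -> Dict[str, List[str]]:
    return {h: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    for hdr, findings in audit_all().items():
        print(hdr)
        for f in findings or ["ok"]:
            print("   -", f)
```

None of these findings change if the browser is set to wipe cookies on close: the value is just as replayable while it is in flight or on screen, which is why the fix belongs in the server's Set-Cookie policy.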
Any information you give away is a potential security risk
Or more formally, for any action which leaks information from the system under consideration, there's a threat model under which that action increases risk.
Claiming that something "isn't a security risk" without specifying the threat model means that either you (i.e. the original poster) are not interested in being rigorous, or don't know much about security. In either case we can probably ignore that claim and its supporting argument.
"Two pieces of information commonly sent are your browser and OS. Oh, and there's the time and possibly your location."
These are not in cookies. Browser and OS are in the user agent header. If you set your browser to delete all cookies, it will not change that header. Time is known by the server because it's processing your request and it has a clock on it. Location is from your IP address, so if you're directly connecting to the server, they can use that to take a guess. None of that data will be protected if you disable cookies. The only thing it does is to hopefully make it harder to fingerprint you if your location changes.
There are still privacy risks, and privacy of a company's information can be of security importance, but it's useful to know what cookies do and what they don't.